How two almost rights can become awfully wrong – managing consumer data privacy
Privacy issues online are a daily occurrence; so much so that I get the feeling that for many of us personal privacy is the Titanic in our connected world, and that we might as well abandon it in favour of the iceberg that is big data, and go with the flow. That’s certainly inherent in the naming of Facebook’s new app as 'Home', an indicator of just how much access we have already given away.
Paris Brown lost her job as Kent's youth police commissioner
Last week, however, it was our online history or ‘‘right to be forgotten’’ that was brought into sharp focus. As Kent’s new youth police commissioner discovered this weekend, all those ill-conceived comments and photos that you shared so innocently online have a habit of coming back to haunt you.
Currently there is a fight going on between the UK and EU as to how best legislate one’s ‘right to be forgotten’. Whilst occasionally ‘good’ does come from the EU, like having to opt-in to email, much of the industry is still feeling the sting of the cookie bill, which became a non-issue for consumers, and could have been dealt with without draconian (and unenforceable and expensive) legislation.
In the ‘Right’ corner, Article 17 of the proposed EU act believes that everyone should have the right to remove their digital debris. It will be the service providers’ responsibility to not only promptly comply, but also contact any other third party with whom the content has been shared (!). And for non-compliance, a fine of up to 2 per cent of gross turnover will be applied (!!). This is another potentially unenforceable and extremely expensive regulation, especially for online services that haven’t had to face these issues on a regular basis.
In the other ‘Right’ corner is the UK. The government claims that this is too much of a burden on business and that we in the UK and (other individual countries) should have the right to make their own laws to deal with it; and that the individual should be made personally responsible for contacting each service. This means that businesses may have to deal with at least 27 local variations of the above - which is also problematic.
I find myself somewhat torn on the issue - I firmly believe in privacy rights and the ‘right to be forgotten’, however I also appreciate the complexity, and to an extent futility, of blanket policies when it comes to the internet. They invariably lead to unpleasant unforeseen consequences, and I’m just going to skim the surface on some of the commercial ones.
• A consumer posted up a picture for a competition that they want removed on a dodgy Flash microsite you made a few years back - you've already changed agencies (hopefully dumped Flash) and don't have access to it anymore - what do you do? Take it all down?
• Worse when the real trolls get a hold of you with legislation to sue you, and start marketing their cleansing services on a no-win no-fee basis. They love going after middle-tier businesses, as they are often happy to settle out of court.
• The big guys (Facebook, Google etc.) have already been pulled up on this and still haven't entirely resolved the issue of taking down embarrassing pictures if you didn't put them up there yourself – the copyright is actually owned by someone else, so it becomes a whole world of hurt.
• What fun we’ll have dealing with fake takedown notices as is rife with the DMCA in the US. Split up with your boyfriend? Get him removed from the web!
• It will be abused as an easy way to censor the internet. What if somebody quoted you in a damning article? Or like Reading East MP Rob Wilson, you mistakenly retweeted a link. Redactiontastic! They say they want to protect freedom of expression but actually the best way to do that is to allow people to express themselves freely, not make ‘an exemption’, which is one of the key criticisms of the bill.
So can we affect the outcome of this battle? Probably not, and in many ways it doesn’t really matter. Consumers demand and deserve the right, so whether it’s poorly legislated or self-regulated, anybody who provides any kind of online service will be affected.
1. Allowing consumers to easily delete their own data is simply best practice. Most modern platforms already have this functionality built in, but if it was built bespoke, it may require more development.
2. You may want to look at your data, terms of service and privacy policies now, as opposed to later. Blanket legislation will overrule your own - and it’s a positive action to give your consumers more control over their data - updating them shouldn't be a challenge (although enabling it might be).
3. If you are a socially driven startup - be it reviews, comment or community - this could potentially be disastrous; add ‘data deletion' into your 'Mimimum Viable Product'.
4. If you are the local arm of a global business, but the development resides outside Europe, you may want to add the functionality in to your roadmap or production process now, rather than scrabble around next year trying to grab resources.
5. Do some spring-cleaning. The internet it still littered with ancient microsites from the dark ages - do us all a favour and just bin them!
6. Double check that when you say you are deleting something it's actually gone. This is often much harder than you think, especially with search engine caches, the Internet Archive and the recently launched UK libraries archive all trying to preserve the data, not destroy it!
7. Be wary about who you may be sharing or syndicating your data with. This is especially relevant to the publishing industry; digital editions that carry international comments may find themselves in a whole world of pain. Better to sort it now.
8. For those whose business model is not completely reliant on advertising, whilst not a solution, but a possible deterrent, you may want to consider not indexing some parts of your site to head a few folk off at the pass.
9. It should go without saying, but it’s worth factoring this in when planning new sites, apps and user-generated campaigns. Think of it as a data tax: the more you collect the more time you are likely to spend dealing with takedown requests. I’m sure after a while you’ll be able to actually calculate your exposure up front, but at the moment it’s up in the air.
10. In the UK and Europe, this will finally put an end to the question ‘Who owns the data?’ and the answer is rightly, The Consumer. If your business model is entirely reliant on the goodwill of your customers you better make sure you don't overly exploit them, as I suspect personal takedowns may become the protest mechanism of the future.
Don't assume this won’t affect you. This isn't like the nobody-really-cares Cookie Monstrosity, there is nothing worse than a disgruntled consumer with the law and the trolls on their side!
Overly pessimistic or just the tip of the iceberg? Have you had to deal with this yourself yet? Would self-regulation be a better route forward?
Jon Bains is a partner at business futures practice Atmosphere
Book your place now for Digital For Business Leaders - a one-day workshop for decision makers that will give you an understanding of digital’s impact on business, and provide you with a roadmap to plan your organisation’s future. To find out more and book your place in London, Manchester or Glasgow, click here.